Overview
Static
1-253002104...DA.exe (windows7-x64)
10-253002104...DA.exe (windows10-2004-x64)
10-253002104...c_.dll (windows7-x64)
3-253002104...c_.dll (windows10-2004-x64)
3-253002104...m_.dll (windows7-x64)
3-253002104...m_.dll (windows10-2004-x64)
3-253002104...t_.dll (windows7-x64)
3-253002104...t_.dll (windows10-2004-x64)
3-253002104...20.dll (windows7-x64)
3-253002104...20.dll (windows10-2004-x64)
3-253002104...20.dll (windows7-x64)
3-253002104...20.dll (windows10-2004-x64)
Analysis
max time kernel: 161s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2024 20:46
Static task static1
Behavioral task behavioral1: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/1 DEMANDA.exe, resource win7-20241010-en
Behavioral task behavioral2: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/1 DEMANDA.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/madbasic_.dll, resource win7-20241023-en
Behavioral task behavioral4: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/madbasic_.dll, resource win10v2004-20241007-en
Behavioral task behavioral5: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/maddisAsm_.dll, resource win7-20240903-en
Behavioral task behavioral6: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/maddisAsm_.dll, resource win10v2004-20241007-en
Behavioral task behavioral7: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/madexcept_.dll, resource win7-20240903-en
Behavioral task behavioral8: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/madexcept_.dll, resource win10v2004-20241007-en
Behavioral task behavioral9: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/rtl120.dll, resource win7-20240903-en
Behavioral task behavioral10: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/rtl120.dll, resource win10v2004-20241007-en
Behavioral task behavioral11: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/vcl120.dll, resource win7-20241023-en
Behavioral task behavioral12: sample -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/vcl120.dll, resource win10v2004-20241007-en
General
Target: -2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/1 DEMANDA.exe
Size: 163KB
MD5: 0588ce0c39da3283e779c1d5b21d283b
SHA1: 1f264a47972d63db2cde18dc8311bc46551380eb
SHA256: d5a6714ab95caa92ef1a712465a44c1827122b971bdb28ffa33221e07651d6f7
SHA512: a5f97ac156d081cb4d9b3f32948eea387725c88af0f19e8bc8db2058a19e211648b7fd86708ff5e1db8f7b57ca3ab8edeba771c9d684c53bcb228ca71adab02a
SSDEEP: 3072:yK2FRsfrS8Ywp3GKJ7hDD/vRvDTX8QlevsqYau7j7/EecxurY:x1TSG/XT5Fau7pXk
Malware Config
Extracted: asyncrat
| CRACKED BY https://t.me/xworm_v2
SERVER
asxyz.duckdns.org:52350
AsyncMutex_6SI6TOGjnk
delay: 3
install: false
install_folder: %AppData%
Signatures
- Asyncrat family
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 1 DEMANDA.exe, cmd.exe
  PID 3528 (1 DEMANDA.exe) set thread context of PID 2948 (cmd.exe)
  PID 2948 (cmd.exe) set thread context of PID 1524 (MSBuild.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 1 DEMANDA.exe, cmd.exe, MSBuild.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 1 DEMANDA.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 1 DEMANDA.exe, cmd.exe
  PID 3528 (1 DEMANDA.exe), 2 occurrences
  PID 2948 (cmd.exe), 2 occurrences
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes: 1 DEMANDA.exe, cmd.exe
  PID 3528 (1 DEMANDA.exe), 1 occurrence
  PID 2948 (cmd.exe), 2 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: MSBuild.exe
  Token: SeDebugPrivilege, PID 1524 (MSBuild.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 1 DEMANDA.exe, cmd.exe
  PID 3528 (1 DEMANDA.exe) wrote to memory of PID 2948 (cmd.exe), 4 occurrences
  PID 2948 (cmd.exe) wrote to memory of PID 1524 (MSBuild.exe), 5 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\-2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO\1 DEMANDA.exe (PID 3528, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\-2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO\1 DEMANDA.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2948, depth 2)
    Command line: C:\Windows\SysWOW64\cmd.exe
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1524, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 777KB
  MD5: 1bb824cd96c68e6ef27ffa90bc900024
  SHA1: 895003002b0d812b6723c76f750941165d285629
  SHA256: 85e77c60eebb2f41882a26516f43175f65e6c387937fe88b527ea6351f3b3cf1
  SHA512: 4e36a0c03fb76de54023e97a11c5edd32346ff7c05deccbe3b1d46a2e82dd0a8c4d310ba62cf1f7323ba95c2043d2de76d4eaeb84458f8b645e1758332d9421c